The present invention relates to network security, in particular of networks which use access points for wireless connection. In this context an access point is a network provider that can provide a wireless link to devices, such as a user device or terminal, and a wired (or potentially wireless) link to a network, allowing the device access to the network in question. The access point, or wireless access point (WAP), may use Wi-Fi, IEEE 802.11 or related standards. It usually connects to a router (via a wired network) as a standalone device, but it can also be an integral component of the router itself.
The devices can be any form of device allowing wireless connection, such as any laptop, PC, mobile or cellular telephone, personal assistant device etc. Usually the device is owned by and specific to an individual.
This invention is of particular relevance to the potential security risks for enterprise (corporate/business or firm) networks in implementing a BYOD (Bring Your Own Device) policy in the office. A BYOD policy allows employees to bring any personal device of their choice into the office or other work environment and use it for official work. While it can improve the productivity of the employees and reduce the IT related costs for the enterprise, it can open up a series of issues related to secure handling of official data.
BYOD is a novel trend sweeping through the enterprise world. This trend is powered mainly by the plethora of smart devices (working on different operating systems) now available in the market. The employees own such smart devices for their personal use and request that the same devices be used for some or all of their official work. This reduces the number of devices they have to carry and also enables them to work on a familiar device and an operating system (OS).
The IT services of the enterprise clearly cannot purchase all types of devices preferred by the employees, support their OS and also provide 3G/LTE or other wireless connectivity through different operators. The sheer complexity of this option makes BYOD much simpler and more attractive. The employee has the main responsibility for managing his or her device and the enterprise will, for example, pay the cost of official communications. Even if the employee leaves or changes his/her role, the device and the (phone) number are still retained by the employee. BYOD is shown to improve the productivity of the employees and also shown to help increase employee satisfaction with working conditions.
Such benefits have made BYOD a trend many enterprises are willing to embrace. But the security risks involved with BYOD force many enterprises (especially ones dealing with highly sensitive data) to take a very cautious approach. They may judge that the large cost of improving traditional IT security mechanisms offsets the benefits of BYOD.
One of the key issues with BYOD security is how to ensure enterprise data security if the device gets lost, stolen or spoofed. By nature, BYOD devices will be used extensively at social events and gatherings away from work, so lost or stolen devices will be a common occurrence. The key problem is how to separate the work context of the BYOD from the social and leisure context. Usually the IT security for device to server/network access (e.g. through a VPN) involves a two-point security check. The server checks the device authentication and also checks user authentication through a password. The problem with a lost, stolen or spoofed device is that if the password can be retrieved (which is not impossible to do) an intruder can simply gain access to the network using the employee's credentials.
A three-point security check can improve this situation. In addition to the above two checks of the user password and device, the network can require the BYOD device to perform a biometric check (such as a fingerprint, iris recognition or other physical ID) before it grants access. While this is an effective security measure, none (or very few) smart devices today contain these biometric checks. Even if they come to the market in future, these devices will be significantly more expensive than standard smart devices and this would drastically reduce employee choice on BYOD.
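The two-point and three-point checks described above, modelled as an added example that is not part of the patent text: the device registry, the salt, the user name and the biometric flag are constructed for illustration, and the point shown is that an enrolled device plus a recovered password passes the two-point check but is stopped by the third factor.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed sample data (assumptions for this example, not real enrolment records).
SALT = b"constructed-salt"


def hash_password(pw: str) -> bytes:
    """Derive a password hash; a real server would use a per-user random salt."""
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), SALT, 100_000)


ENROLLED_DEVICES = {"dev-A1": "alice"}  # device id -> user the device is enrolled to
PASSWORD_HASHES = {"alice": hash_password("correct horse")}


@dataclass
class AccessRequest:
    device_id: str
    username: str
    password: str
    biometric_ok: Optional[bool] = None  # None: device cannot supply a third factor


def check_access(req: AccessRequest, require_biometric: bool) -> Tuple[bool, str]:
    """Evaluate the two-point (device + password) or three-point (+ biometric) check."""
    # Point 1: device authentication - the device must be enrolled to this user.
    if ENROLLED_DEVICES.get(req.device_id) != req.username:
        return False, "device not enrolled for user"
    # Point 2: user password, compared in constant time against the stored hash.
    expected = PASSWORD_HASHES.get(req.username)
    if expected is None or not hmac.compare_digest(expected, hash_password(req.password)):
        return False, "bad password"
    # Point 3 (only when required): biometric verification performed on the device.
    if require_biometric and not req.biometric_ok:
        return False, "biometric check failed or unavailable"
    return True, "granted"


def stolen_device_scenario(require_biometric: bool) -> bool:
    """Intruder holds alice's enrolled device and has recovered her password."""
    req = AccessRequest("dev-A1", "alice", "correct horse", biometric_ok=False)
    return check_access(req, require_biometric)[0]


if __name__ == "__main__":
    print("two-point check, stolen device:", stolen_device_scenario(False))   # True
    print("three-point check, stolen device:", stolen_device_scenario(True))  # False
```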
Thus it is desirable to provide a way of increasing the security of network access by a personal device which does not have a significant impact on device or network complexity or cost.